Method and system for translating natural language policy to logical access control policy

ABSTRACT

Natural language policy text is translated into logical access control policy code with a policy composer that receives natural language policy text, an attribute dictionary connected to the policy composer to define attributes and their logical access control policy equivalents. A natural language policy set is connected to the policy composer and includes samples of natural language policy rules and their logical access control policy equivalents. The policy composer uses natural language processing, the attribute dictionary and the natural language policy set to translate the natural language policy text into logical access control code.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No.16/455,464, filed Jun. 27, 2019, which is hereby incorporated byreference in its entirety.

FIELD

Provided herein are methods and systems for translating natural languagepolicy text into logical access control policy code.

BACKGROUND

Requirements for stricter protection of data have led to technologicaladvancements in the field of access control that allow us to externalizeour access control policies from information systems. In many cases, theindividuals who author the information security policies are not theindividuals implementing the access control policies in these systems.Non-technical information security professionals write the accesscontrol policies in natural language in text processors that hands-ontechnical cyber security engineers must translate into code that acomputer can understand. In other cases, a graphical user interface maybe available for the implementation of information security policy. Itwould be desirable to find a way to automatically translate free-formnatural language policy text into logical access control policy code.

SUMMARY

In an embodiment, natural language policy text is translated intological access control policy code. A policy composer receives naturallanguage policy text. An attribute dictionary communicably connected tothe policy composer defines attributes and their logical access controlpolicy equivalents. A natural language policy set communicably connectedto the policy composer includes samples of natural language policy rulesand their logical access control policy equivalents. The policy composeruses natural language processing, the attribute dictionary and thenatural language policy set to translate the natural language policytext into logical access control code.

In some embodiments, the logical access control code are in eXtensibleAttribute Markup Language (XACML) or Next Generation Access Control(NGAC) format. The attribute dictionary may be populated with attributesfrom the natural language policy set or populated by user input.

One embodiment includes translating natural language policy text intological access control policy code. Natural language policy text isprovided to a policy composer. Using natural language processing, anatural language policy rule is generated from the natural languagepolicy text. The natural language policy rule is then compared to samplenatural language policy rules that are found in a natural languagepolicy set. Attributes are identified in the natural language policyrule using an attribute dictionary. The sample natural language policyrule is then populated with the determined attributes. If the populatedsample natural language policy rule is well-formed, The populated samplenatural language policy rule is translated into logical access controlcode and the logical access control code is stored in a policy archive.

Further areas of applicability of the present disclosure will becomeapparent from the detailed description, the claims and the drawings. Thedetailed description and specific examples are intended for purposes ofillustration only and are not intended to limit the scope of thedisclosure.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure will become more fully understood from thedetailed description and the accompanying drawings, wherein:

FIG. 1 illustrates a natural language policy text translation systemaccording to an embodiment;

FIG. 2 illustrates a process of identifying natural language policyrules in a natural language policy text in accordance with anembodiment;

FIG. 3 illustrates a process of translating a natural language policyrule into logical access control code;

FIG. 4 illustrates the functions of a policy composer according to anembodiment;

FIG. 5 illustrates a process of translating a natural language policytext into XACML according to an embodiment;

FIG. 6 illustrates a process of translating a natural language policytext into NGAC according to an embodiment;

FIG. 7 illustrates a user experience of generating logical accesscontrol code according to an embodiment.

FIG. 8 illustrates a typical data center according to an embodiment,

FIG. 9 illustrates an example machine of a computer system according toan embodiment.

In the drawings, reference numbers may be reused to identify similarand/or identical elements.

DETAILED DESCRIPTION

In the following description, for purposes of explanation, specificdetails are set forth in order to provide an understanding of theinvention. It will be apparent, however, to one skilled in the art thatthe invention can be practiced without these details. Furthermore, oneskilled in the art will recognize that embodiments of the presentinvention, described below, may be implemented in a variety of ways,such as a process, an apparatus, a system, a device, or a method on atangible computer-readable medium.

Components, or modules, shown in diagrams are illustrative ofembodiments of the invention. It shall also be understood thatthroughout this disclosure that components may be described as separatefunctional units, which may comprise sub-units, but those skilled in theart will recognize that various components, or portions thereof, may bedivided into separate components or may be integrated together,including integrated within a single system or component. It should benoted that functions or operations discussed herein may be implementedas components. Components may be implemented in software, hardware, or acombination thereof.

Furthermore, connections between components or systems within thefigures are not intended to be limited to direct connections. Rather,data between these components may be modified, re-formatted, orotherwise changed by intermediary components. Also, additional or fewerconnections may be used. It shall also be noted that the terms“coupled,” “connected,” or “communicatively coupled” shall be understoodto include direct connections, indirect connections through one or moreintermediary devices, and wireless connections.

Reference in the specification to “one embodiment,” “an embodiment,”“some embodiments,” or “embodiments” means that a particular feature,structure, characteristic, or function described in connection with theembodiment is included in at least one embodiment of the invention andmay be included more than one embodiment. Also, the appearances of theabove-noted phrases in various places in the specification are notnecessarily all referring to the same embodiment or embodiments.

The use of certain terms in various places in the specification is forillustration and should not be construed as limiting. A service,function, or resource is not limited to a single service, function, orresource; usage of these terms may refer to a grouping of relatedservices, functions, or resources, which may be distributed oraggregated. Furthermore, the use of memory, database, information base,data store, tables, hardware, and the like may be used herein to referto system component or components into which information may be enteredor otherwise recorded.

Furthermore, it shall be noted that unless otherwise noted: (1) stepsmay optionally be performed; (2) steps may not be limited to thespecific order set forth herein; (3) steps may be performed in differentorders; and (4) steps may be done concurrently.

Techniques for natural language policy translation are described herein.In accordance with FIG. 1, a policy translation system 100 fortranslating natural language policy text into logical access controlcode is shown. Logical access control code format may be XACML, NGAC orany other suitable logical access control code format. A naturallanguage policy text 102 is collected by the policy translation system100. The natural language policy text 102 may include a single sentencethat defines a policy rule. The natural language policy text 120 mayinclude several sentences, sentence fragments or, indeed, any text thatdefines one or more policy rules. In one embodiment, the naturallanguage policy text 102 is collected from a variety of differentsources, such as from document files (e.g. word processor files),electronic mail, direct text input through a website, and other sources.

The collected natural language policy text 102 may include naturallanguage that is written in a variety of different ways. In oneembodiment, each of the collected policy texts 102 may use differentnatural language to describe desired access control policies. Thenatural language policy text may be written in one or more naturallanguages. The natural language policy rules embedded in the naturallanguage policy text may be written in different forms. For example, thenatural language policy rule “Alice may read Bob's files,” is equivalentto the natural language policy rule “Bob's files may be read by Alice.”Similarly, the same rule may be expressed in English, Japanese, Chinese,Korean or any other natural language.

The natural language policy text 102 is communicated to a policycomposer 104. The natural language policy text 102 may be communicatedto the policy composer 104 directly, by manual input of text, uploadedas a file or any using other means of communicating text directly. Thenatural language policy text 102 may be communicated wirelessly to thepolicy composer 104, through email, messaging or any other means ofcommunicating text indirectly. In one embodiment, natural languagepolicy text 102 may include document files (e.g., word processor files,text-editing files, etc.), direct text input (e.g., via a form on awebsite), electronic mail, and other natural language policy sources. Inone embodiment, the natural language policy text 102 may includepolicies including text written by one or more individuals.

The policy composer 104 uses an attribute dictionary 106 and naturallanguage policy sets 108 to translate the natural language policy text102 into logical access control policy code 110. The attributedictionary 106 is a database that associates words found in a naturallanguage policy text 102 with attributes used in logical access controlpolicy code 110. The attribute dictionary 106 may be created byanalyzing data found in the natural language policy sets 108, naturallanguage policy texts 102 or may be attribute data 112 input by theuser, other users, organizations or other sources. The policytranslation system 100 maintains an attribute dictionary 106 that ispopulated based on an analysis of the natural language policy text 102.In one specific example, an uploaded natural language policy text 102may include text in English associated with English NLP Set 1, text inChinese associated with Chinese NLP Set 1, text in Japanese associatedwith Japanese NLP Set 1, and text in in German associated with GermanNLP Set 1. The attribute dictionary 106 may be populated based onassociated words found in the aforementioned natural language policysets 108 by the analysis done on the text sources. Text analysisperformed by the policy composer 104 is used in conjunction with thenatural language policy sets 108 to identify the logic used in logicalaccess control policy code 112. The attributes in the attributedictionary 106 are used in conjunction with the logic determined by thepolicy composer 104 to create logical access control policy code 112that can be logically implemented. The resulting logical access controlpolicy code 112 is stored in the policies archive 114, a repository forall created policies.

The policy composer 104 uses one or more natural language policy sets108 to translate natural language policy texts 102 into logical accesspolicy code 112. The natural language policy sets 108 may includenatural language policy sets 108 specific to natural languages such asEnglish, Japanese or any other natural language. In one embodiment,access control policy translation system maintains a number of naturallanguage policy sample sets each associated with a language, such asEnglish NLP (natural language processing) Set 1, Chinese NLP Set 1,Japanese NLP Set 1, and German NLP Set 1,

The natural language policy sets 108 may be specific to organizations,branches of organization, departments of organization or any otherentity. The policy composer 104 analyzes the natural language policytext 102 and identifies appropriate natural language policy sets 108 foruse in translation. For example, a first natural language policy text102 may includes natural language that checks if an employee resides ina certain branch of their organization may be associated with EnglishNatural Language Policy Sample Set 1, a second natural language policytext 102 that includes natural language that refers to an organizationalbranch as a department may be associated with English Natural LanguagePolicy Sample Set 2, and a third natural language policy text 102 thatis written in Japanese natural language may be associated with JapaneseNatural Language Policy Sample Set 1, and so on.

The policy composer 104 receives natural language policy text 102 anduses the attribute dictionary 106 and natural language policy sets 108to identify possible access control rules (collectively referred to asrules) embedded in the natural language policy text 102

With reference to FIG. 2, a method 200 of identifying natural languagepolicy rules is shown. Starting with a natural language policy text 102in step 202, the policy composer 104 identifies the natural languageused in the natural language policy text in step 204. The policycomposer 104 identifies the type of policy in the natural languagepolicy text 102 in step 206. With the identified natural language andthe policy type, the policy composer identifies the appropriate naturallanguage policy sets 108 in step 208. By comparing the natural policylanguage text 102, the appropriate natural language policy sets 108, andthe attribute dictionary 106, the policy composer 104 identifies thepossible attributes present in the natural language policy text 102 instep 210. The policy composer 104 then identifies the possible naturallanguage policy rules in the natural language policy text in step 212.

With reference to FIG. 3, a method 300 of translating each of thenatural language policy rules found in the natural language policy text102 into logical access control code 112. Taking each identified naturallanguage policy rule in step 302, the policy composer 104 uses thenatural language policy sets 108 and identifies possible naturallanguage policy rule matches with natural language rule samples in thenatural language rule sets 108. The matched natural language policy ruleis then populated with the identified attributes in step 306. The method300 then determines if the attribute populated natural language policyrule is a well-formed rule in step 308. If the rule is not well formed,the process returns to step 304 and identifies another possible naturallanguage policy rule match. If the rule is well formed, the policycomposer 104 generates logical access control code corresponding to theattribute populated natural language policy rule in step 310. The logicand attributes identified are then presented to the user to confirm thatthe proposed translation is what the user intended in step 312. If theuser is dissatisfied with the logical access control code, the method300 returns to step 304 and makes another attempt to identify possiblenatural language policy rule matches. If they user is satisfied with thelogical access control code, the logical access control code is exportedto the policy archive 114 or deployed for use by the policy controlsystem in step 314.

Referring to FIG. 4, a system for policy text characteristic analysis400 will now be described in detail. The policy samples 414, 416, 418 inthe identified natural language policy sets 412 may be analyzed toidentify various natural language policy text characteristics 404, 406,408 and 410 associated with the natural language policy texts 402. Thenatural language policy text 402 includes a variety of natural languagepolicy characteristics, including entities characteristics 404, syntaxcharacteristics 406, content classification characteristics 408, andlanguage characteristics 410. It is noted that the above characteristicsare non-limiting examples, and that any number of natural languagepolicy sets 412 may be analyzed to obtain any number of the above orother text characteristics.

In one embodiment, text characteristics of a natural language policysets 412 may be determined by performing natural language processing(NLP) and/or other processes on the policy samples 414, 416 and 418 andthen analyzing output of the NLP or other processes. Additionally, inone embodiment, the analysis of NLP or other processes may includedeterminations of logic (e.g., greater than or equal to, etc.),combining algorithms (e.g., deny unless permit, etc.), spelling errors,grammatical errors, and invalid input. Attributes of the textcharacteristics of the policy samples 414, 416 and 418 in a respectivenatural language policy set 412 may be averaged so as to produce overalltext characteristics for the policy type.

Referring to FIG. 5, the process 500 for identification and translationof natural language policy rules is shown. Once a natural languagepolicy text 102 is input into the policy composer 104, various naturallanguage processing tasks are performed on the text, to include but notbe limited to named entity recognition, part-of-speech tagging,lemmatization, and morphological segmentation in step 502. The policycomposer 104 then checks the natural language policy sets 108 for thepresence of similar items discovered from its prior tasks in step 506.These similar items are discovered based on the metadata per each item.

For example, consider the sentence, “Employees can only access recordsin their own department.” The word, “employees,” may be recognized as anamed entity in step 502 (the natural language processing tasks) and mayhave a salience score of 0.67 out 1.00. In step 504—checking policysample sets for similar items the policy composer 104 may discover apreviously translated policy that used the same word or its singularform based on its characteristics, such as it being a named entity and asalience above a 0.50. In this example and in this embodiment, thepreviously used word “employee” discovered in the policy sample set wasassigned the XAMCL attribute category of“urn:oasis:names:tc:xacml:1.0:subject-category:access-subject,”AttributeId of “employee,” and DataType of“http://www.w3.org/2001/XMLSchema#string.”

Subsequently, the similar items discovered in the Policy Sample Sets areassociated with the items in the text in step 506. Continuing theexample above, the word “employee” is now assigned the metadata from theword “employee” that was used in a previous translated policy. So, it isnow assigned the XACML attribute category of“urn:oasis:names:tc:xacm1:1.0:subject-category:access-subject,”AttributeIdof “employee,” and DataType of“http://www.w3.org/2001/XMLSchema#string.”

After the associations are complete for items that are not the logicalconditions to permit or deny access (e.g. subjects, resources, etc.),then the logical conditions are compared to known logical conditions inthe natural language policy sets 508. The match with the strongestconfidence score above a specific minimum confidence score is associatedwith the logical conditions in the text. This association between thelogical conditions from the natural language policy sets 108 and thelogical conditions in the text also associates specific XACMLfunction(s).

In this embodiment, consider our previously mentioned example. Thewords, “can only access,” would be translated to a “permit” effect. Thewords, “in their own department,” contains a possession modifier(“their”) and an adjectival modifier (“own”). These words will triggerthe policy composer 508 to create logic in XACML that compare thedepartment of the employee to the department of the record he or she isaccessing.

After the logic is translated to XACML, the policy composer now seeks toput the rules into PolicySet and Policy nodes (components of a XACMLpolicy structure) in step 510. It may create PolicySet and/or Policynodes based on multiple factors, such as proximity in the originalprovided natural language text and content classification from the priortext analysis. Once these PolicySet and Policy nodes are created, rulesare appropriately placed in them.

Subsequently, an XML file in XACML format is created which can beimported into any XACML compliant system in step 512.

It should be appreciated that other items present in a typical XACMLfile are generated automatically or may be configured with user input.

Referring to FIG. 6, the process 600 used by the policy composer 104 toidentify rules in natural language policy text 102 and translate therules into code compliant with the NGAC standard developed by NationalInstitute of Standards and Technology (NIST).

Once a natural language policy text source 102 is input into the system,the policy composer 104 performs various natural language processingtasks on the text, to include but not be limited to named entityrecognition, part-of-speech tagging, lemmatization, and morphologicalsegmentation in step 602. Subsequently, the policy composer 104communicates with natural language policy sets 108 for presence ofsimilar items discovered from its prior tasks in step 604. These similaritems are discovered based on the metadata per each item. The policycomposer 104 associates items in the natural language policy text 102with terms from the natural language policy sets 108 in step 606

For example, consider the sentence used in the previous example,“Employees can only access records in their own department.” The word,“employees,” may be recognized as a named entity in step 602 (thenatural language processing tasks) and may have a salience score of 0.77out 1.00. In step 604—checking natural language policy sets 108 forsimilar items—may discover a previously translated policy that used thesame word or its singular form based on its characteristics, such as itbeing a named entity and a salience above a 0.50. In this example and inthis embodiment, the previously used word “employee” discovered in thenatural language policy set 108 was assigned as a user attribute whichentails “read access” on public information. So, the discovered word“employees,” in this example, may be assigned with the code to createthis employee user attribute, “long employeeID=graph.createNode(newNode(rand.nextLong( ) “Employee”, UA, null));” This code effectivelycreates a user attribute in the NGAC access control graph, arepresentation of access control policy as a graph.

Additionally, we know that this assigned employee user attribute alsohad an association with “read” access. The code for this, specifically,looks like this, “graph.associate(new Node(employeeID, UA), newNode(publicID, OA), r);” This code effectively allows users assigned theemployee attribute to read public information. As this is associatedwith the employee attribute, it is now assigned to the newly discoveredword “employees” too by the Policy Composer.

This “publicID” that was discovered was a previously used objectattribute. It was created with code that looked like this, “longpublicID=graph.createNode(new Node(rand.nextLong( ), “Public Info”, OA,null));” Take note that one of the parameters says, “Public Info.” Basedon its discovery, the policy composer 104 will check for similar orrelated word(s) in the text, if one was not already discovered. When oneis discovered it will be used in direct coordination with the employeeattribute already described above.

Once all attributes have been discovered (e.g., the user and objectattributes) and all associations that assigned that were previously usedif relevant, the logic stated in the original natural language policytext 102 will be translated into the assignments and associations usedin NGAC in step 608.

The previously used example—the one referring to employees accessingtheir own records—is already complete, since there were prior policieswith similar language. But let's assume there's content in the sameinput text that is unique. For example, let's assume no priorassociations in the natural language policy sets 108 were found for thelogic in the sentence, “Alice can read and write her SSN.” Let's beginwith “read and write her SSN.” Object attributes were already createdfor SSN and read/write access. By creating the assignments andpopulating their parameters dynamically, we translate the naturallanguage in the text to logical policy, “graph.assign(newNode(aliceSSNID, O), new Node(aliceID, OA)); graph.assign(newNode(aliceSSNID, O), new Node(aliceRWID, OA));” The association occursfor Alice as an individual, “graph.associate(new Node(aliceUAID, UA),new Node(aliceRWID, OA), rw);” As we have illustrated, there have beentwo paths to converting the text into logic: either by finding the logicthrough finding strongly related examples in the Policy Sample Sets orby using natural language processing with algorithms to populate it.

As mentioned, code is only complete if it meets a syntactically correctcode statement (e.g., meeting the required parameters). The policycomposer 104 divides the natural language policy text 104 into codebased on whether or not sufficient parameters are present to complete astatement in step 610. The statements are converted from natural text toNGAC policy code by the policy composer 108 and the file is generated asa whole which may be then be used. The NGAC policy code output formatmay be in a file format such as Java.

It should be appreciated that other items present in a typical NGACpolicy are generated automatically or may be configured with user input.The embodiment described above illustrates how the disclosed inventionmay be used to translate natural language to various kinds of logicalaccess control, as long as the components of entities (known as users inNGAC) requesting access to resources (known as objects in NGAC) exist inthe text.

With reference to FIG. 7, the user experience 700 is shown. The user maychoose what the type of output policy may be, such as XACML or NGAC instep 702. After doing so, the user may choose the source of a naturallanguage policy text 102, such as uploading a text document (e.g.Microsoft Word document) into the application is shown in step 704.After this, the user may choose if he or she wishes to define anycomponents beforehand, such as attributes, although this is not requiredin step 706. After this, the policy translation system describedtranslates the natural language policy text 102 to the desired output,such as XACML, in step 708. After the translation is complete, the useris displayed with a prompt in this embodiment in step 710. This promptshows the completed translation (e.g. XACML), a summary of the policy innatural language (e.g., what attributes are defined in XACML and whatthe rules do), and the ability to select components (e.g., a particularattribute or a rule). If the client decides to make changes in step 712,a selected component (e.g. attribute or rule) may be chosen to bealtered or removed in step 718. An additional option shown in the promptis to scan for additional attributes. Once the user has made theirchoices, the a new policy is generated in step 708. Once the new policyis generated, the prompt with the options described is shown again atstep 712. Once the user chooses not to change anything, the policy isgenerated in its desired format (e.g. XACML or NGAC) in step 714.

At this time, the policy may be exported or deployed in step 716.Exporting may include downloading the file to an information system.Deployment may include committing the policy file to an access controlsystem for immediate use.

In accordance with FIG. 8, a representative data center 800 is shown.Users 802 connect using a communication network 804 to a gateway 806.The gateway 806 communicates with a router 810. The router 810communicates with a server manager 812 and servers 814. The servermanager 812 communicates with the servers 814. Each server 814 includesvirtual machines 816 and a manager 818.

FIG. 9 illustrates an example machine of a computer system within whicha set of instructions, for causing the machine to perform any one ormore of the methodologies discussed herein, may be executed. Inalternative implementations, the machine may be connected (e.g.,networked) to other machines in a LAN, an intranet, an extranet, and/orthe Internet. The machine may operate in the capacity of a server or aclient machine in client-server network environment, as a peer machinein a peer-to-peer (or distributed) network environment, or as a serveror a client machine in a cloud computing infrastructure or environment.

The machine may be a personal computer (PC), a tablet PC, a set-top box(STB), a Personal Digital Assistant (PDA), a cellular telephone, a webappliance, a server, a network router, a switch or bridge, or anymachine capable of executing a set of instructions (sequential orotherwise) that specify actions to be taken by that machine. Further,while a single machine is illustrated, the term “machine” shall also betaken to include any collection of machines that individually or jointlyexecute a set (or multiple sets) of instructions to perform any one ormore of the methodologies discussed herein.

The example computer system 900 includes a processing device 002, a mainmemory 904 (e.g., read-only memory (ROM), flash memory, dynamic randomaccess memory (DRAM) such as synchronous DRAM (SDRAM) or Rambus DRAM(RDRAM), etc.), a static memory 906 (e.g., flash memory, static randomaccess memory (SRAM), etc.), and a data storage device 918, whichcommunicate with each other via a bus 930.

Processing device 902 represents one or more general-purpose processingdevices such as a microprocessor, a central processing unit, or thelike. More particularly, the processing device may be complexinstruction set computing (CISC) microprocessor, reduced instruction setcomputing (RISC) microprocessor, very long instruction word (VLIW)microprocessor, or processor implementing other instruction sets, orprocessors implementing a combination of instruction sets. Processingdevice 1002 may also be one or more special-purpose processing devicessuch as an application specific integrated circuit (ASIC), a fieldprogrammable gate array (FPGA), a digital signal processor (DSP),network processor, or the like. The processing device 1002 is configuredto execute instructions 926 for performing the operations and stepsdiscussed herein. In one embodiment, the computer system 900 may use amotherboard with PLX chip to optimize use of PCIe lanes of themotherboard.

The computer system 900 may further include a network interface device908 to communicate over the network 920. The computer system 900 alsomay include a video display unit 910 (e.g., a liquid crystal display(LCD) or a cathode ray tube (CRT)), an alphanumeric input device 912(e.g., a keyboard), a cursor control device 1014 (e.g., a mouse), agraphics processing unit 922, a signal generation device 916 (e.g., aspeaker), graphics processing unit 922, video processing unit 928, andaudio processing unit 932.

The data storage device 918 may include a machine-readable storagemedium 924 (also known as a computer-readable medium) on which is storedone or more sets of instructions or software 926 embodying any one ormore of the methodologies or functions described herein. Theinstructions 926 may also reside, completely or at least partially,within the main memory 904 and/or within the processing device 902during execution thereof by the computer system 900, the main memory 904and the processing device 902 also constituting machine-readable storagemedia.

In one implementation, the instructions 926 include instructions toimplement functionality corresponding to the components of a device toperform the disclosure herein. While the machine-readable storage medium924 is shown in an example implementation to be a single medium, theterm “machine-readable storage medium” should be taken to include asingle medium or multiple media (e.g., a centralized or distributeddatabase, and/or associated caches and servers) that store the one ormore sets of instructions. The term “machine-readable storage medium”shall also be taken to include any medium that is capable of storing orencoding a set of instructions for execution by the machine and thatcause the machine to perform any one or more of the methodologies of thepresent disclosure. The term “machine-readable storage medium” shallaccordingly be taken to include, but not be limited to, solid-statememories, optical media and magnetic media.

Some portions of the preceding detailed descriptions have been presentedin terms of algorithms and symbolic representations of operations ondata bits within a computer memory. These algorithmic descriptions andrepresentations are the ways used by those skilled in the dataprocessing arts to most effectively convey the substance of their workto others skilled in the art. An algorithm is here, and generally,conceived to be a self-consistent sequence of operations leading to adesired result. The operations are those requiring physicalmanipulations of physical quantities. Usually, though not necessarily,these quantities take the form of electrical or magnetic signals capableof being stored, combined, compared, and otherwise manipulated. It hasproven convenient at times, principally for reasons of common usage, torefer to these signals as bits, values, elements, symbols, characters,terms, numbers, or the like.

In general, the terms “engine” and “module”, as used herein, refer tologic embodied in hardware or firmware, or to a collection of softwareinstructions, possibly having entry and exit points, written in aprogramming language, such as, for example, Java, Lua, C or C++. Asoftware module may be compiled and linked into an executable program,installed in a dynamic link library, or may be written in an interpretedprogramming language such as, for example, BASIC, Perl, or Python. Itwill be appreciated that software modules may be callable from othermodules or from themselves, and/or may be invoked in response todetected events or interrupts. Software modules configured for executionon computing devices may be provided on one or more computer readablemedia, such as a compact discs, digital video discs, flash drives, orany other tangible media. Such software code may be stored, partially orfully, on a memory device of the executing computing device. Softwareinstructions may be embedded in firmware, such as an EPROM. It will befurther appreciated that hardware modules may be comprised of connectedlogic units, such as gates and flip-flops, and/or may be comprised ofprogrammable units, such as programmable gate arrays or processors. Themodules described herein are preferably implemented as software modules,but may be represented in hardware or firmware. Generally, the modulesdescribed herein refer to logical modules that may be combined withother modules or divided into sub-modules despite their physicalorganization or storage

It should be borne in mind, however, that all of these and similar termsare to be associated with the appropriate physical quantities and aremerely convenient labels applied to these quantities. Unlessspecifically stated otherwise as apparent from the above discussion, itis appreciated that throughout the description, discussions utilizingterms such as “identifying” or “determining” or “executing” or“performing” or “collecting” or “creating” or “sending” or the like,refer to the action and processes of a computer system, or similarelectronic computing device, that manipulates and transforms datarepresented as physical (electronic) quantities within the computersystem's registers and memories into other data similarly represented asphysical quantities within the computer system memories or registers orother such information storage devices.

The present disclosure also relates to an apparatus for performing theoperations herein. This apparatus may be specially constructed for theintended purposes, or it may comprise a general purpose computerselectively activated or reconfigured by a computer program stored inthe computer. Such a computer program may be stored in a computerreadable storage medium, such as, but not limited to, any type of diskincluding floppy disks, optical disks, CD-ROMs, and magnetic-opticaldisks, read-only memories (ROMs), random access memories (RAMs), EPROMs,EEPROMs, magnetic or optical cards, or any type of media suitable forstoring electronic instructions, each coupled to a computer system bus.

Various general purpose systems may be used with programs in accordancewith the teachings herein, or it may prove convenient to construct amore specialized apparatus to perform the method. The structure for avariety of these systems will appear as set forth in the descriptionabove. In addition, the present disclosure is not described withreference to any particular programming language. It will be appreciatedthat a variety of programming languages may be used to implement theteachings of the disclosure as described herein.

The present disclosure may be provided as a computer program product, orsoftware, that may include a machine-readable medium having storedthereon instructions, which may be used to program a computer system (orother electronic devices) to perform a process according to the presentdisclosure. A machine-readable medium includes any mechanism for storinginformation in a form readable by a machine (e.g., a computer). Forexample, a machine-readable (e.g., computer-readable) medium includes amachine (e.g., a computer) readable storage medium such as a read onlymemory (“ROM”), random access memory (“RAM”), magnetic disk storagemedia, optical storage media, flash memory devices, etc.

The foregoing description is merely illustrative in nature and is in noway intended to limit the disclosure, its application, or uses. Thebroad teachings of the disclosure can be implemented in a variety offorms. Therefore, while this disclosure includes particular examples,the true scope of the disclosure should not be so limited since othermodifications will become apparent upon a study of the drawings, thespecification, and the following claims.

What is claimed:
 1. A system for translating natural language policytext into logical access control policy code, comprising: a policycomposer to receive a sequence of free text natural language policy textstrings provided by a user; an attribute dictionary communicablyconnected to the policy composer defining attributes and their logicalaccess control policy equivalents; a natural language policy setcommunicably connected to the policy composer with samples of naturallanguage policy rules and their logical access control policyequivalents; wherein the policy composer is configured to use naturallanguage processing to identify a plurality of candidate attributes inthe sequence of free text natural language policy text strings and storethe candidate attributes in the attribute dictionary; and wherein thepolicy composer uses the attribute dictionary and the natural languagepolicy set to translate the input natural language policy text stringsinto logical access control code.
 2. The system of claim 1, wherein thelogical access control code is in XACML format.
 3. The system of claim1, wherein the logical access control code is in NGAC format.
 4. Thesystem of claim 1, wherein the attribute dictionary is populated withattributes from the natural language policy set.
 5. The system of claim1, wherein the attribute dictionary is populated by user input.
 6. Thesystem of claim 1, wherein the natural language processing comprisesnamed entity recognition that identifies a named entity that is a stringin the input free text natural language policy text strings, wherein afirst natural language policy set includes metadata for the named entityfrom a previously translated policy.
 7. The system of claim 1, whereinthe natural language processing comprises morphological segmentation. 8.A method for translating natural language policy text into logicalaccess control policy code, comprising: receiving a sequence of freetext natural language policy text strings input by a user to a policycomposer; using natural language processing to identify a plurality ofcandidate attributes in the sequence of free text natural languagepolicy text strings and store the candidate attributes in an attributedictionary; identifying a plurality of candidate natural language policyrules from a natural language policy set; using the attribute dictionaryand the natural language policy set to translate the input naturallanguage policy text strings into logical access control code; andstoring the logical access control code in a policy archive.
 9. Themethod of claim 8, wherein the logical access control code is in XACMLformat.
 10. The method of claim 8, wherein the logical access controlcode is in NGAC format.
 11. The method of claim 8, wherein the attributedictionary is populated with attributes from the natural language policyset.
 12. The method of claim 8, wherein the attribute dictionary ispopulated by user input.
 13. The method of claim 8, wherein the naturallanguage processing comprises named entity recognition that identifies anamed entity that is a string in the input free text natural languagepolicy text strings, wherein a first natural language policy setincludes metadata for the named entity from a previously translatedpolicy.
 14. The method of claim 8, wherein the natural languageprocessing comprises morphological segmentation.
 15. A non-transitorycomputer-readable medium comprising instructions for translating naturallanguage policy text into logical access control policy code, thenon-transitory computer-readable medium comprising instructions for:receiving a sequence of free text natural language policy text stringsinput by a user to a policy composer; using natural language processingto identify a plurality of candidate attributes in the sequence of freetext natural language policy text strings and store the candidateattributes in an attribute dictionary; identifying a plurality ofcandidate natural language policy rules from a natural language policyset; using the attribute dictionary and the natural language policy setto translate the input natural language policy text strings into logicalaccess control code; and storing the logical access control code in apolicy archive.
 16. The non-transitory computer-readable medium of claim15, wherein the logical access control code is in XACML format.
 17. Thenon-transitory computer-readable medium of claim 15, wherein the logicalaccess control code is in NGAC format.
 18. The non-transitorycomputer-readable medium of claim 15, wherein the attribute dictionaryis populated with attributes from the natural language policy set. 19.The non-transitory computer-readable medium of claim 15, wherein theattribute dictionary is populated by user input.
 20. The non-transitorycomputer-readable medium of claim 15, wherein the natural languageprocessing comprises named entity recognition that identifies a namedentity that is a string in the input free text natural language policytext strings, wherein a first natural language policy set includesmetadata for the named entity from a previously translated policy.